aws/cert-manager: Tighten IAM permissions for cert-manager

This change restricts which record types and domain prefixes
cert-manager is allowed to change for DNS01 acme challenges.

Only _acme-challenge.* TXT records may be created/updated/removed.

Implements kubernetes#15680

pkg/model/components/addonmanifests/certmanager/iam.go

@@ -57,12 +57,24 @@ func addCertManagerPermissions(b *iam.PolicyBuilder, p *iam.Policy) {
 
 	p.Statement = append(p.Statement, &iam.Statement{
 		Effect: iam.StatementEffectAllow,
-		Action: stringorset.Of("route53:ChangeResourceRecordSets",
-			"route53:ListResourceRecordSets",
-		),
+		Action: stringorset.Of("route53:ListResourceRecordSets"),
 		Resource: stringorset.Set(zoneResources),
 	})
 
+	p.Statement = append(p.Statement, &iam.Statement{
+		Effect: iam.StatementEffectAllow,
+		Action: stringorset.Of("route53:ChangeResourceRecordSets"),
+		Resource: stringorset.Set(zoneResources),
+		Condition: iam.Condition{
+			"ForAllValues:StringLike": map[string]interface{}{
+				"route53:ChangeResourceRecordSetsNormalizedRecordNames": []string{"_acme-challenge.*"},
+			},
+			"ForAllValues:StringEquals": map[string]interface{}{
+				"route53:ChangeResourceRecordSetsRecordTypes": []string{"TXT"},
+			},
+		},
+	})
+
 	p.Statement = append(p.Statement, &iam.Statement{
 		Effect:   iam.StatementEffectAllow,
 		Action:   stringorset.Set([]string{"route53:GetChange"}),